Strengthening IAM Security for Cloud IaaS Accounts
This guide will help you implement IAM-specific configurations in your OCI tenancy account to enhance security and protect your cloud infrastructure.
Cloud IaaS providers like AWS, Azure, OCI, and GCP operate on a shared responsibility model. While they secure the underlying infrastructure, you, as a customer, are responsible for protecting data, applications, and access management. The rapid adoption of cloud services has made IaaS a prime target for cybercriminals. According to a recent study by IBM, misconfigurations in cloud services are responsible for billions of exposed records annually.
This article covers important CIS hardening strategies for securing OCI cloud accounts, focusing on identity and access management. Effective IAM is the cornerstone of cloud security: it ensures that only authorized users can access your cloud resources and that they have only the permissions necessary to perform their tasks. Neglecting this responsibility can lead to data breaches, financial losses, and reputational damage.
Password Policy
Password policies in OCI form your first line of defense against unauthorized access. The CIS benchmark recommends a minimum length of 14 characters with a mix of uppercase, lowercase, numbers, and special characters. Implementing password expiration (90 days) and history (24 passwords) prevents password reuse and ensures regular updates. The lockout mechanism (5 failed attempts) protects against brute force attacks. These configurations significantly reduce the risk of credential compromise while maintaining user accessibility.
Let’s write a short snippet to configure the above password policy requirement and enforce it on your OCI tenancy account in Terraform. In the code below, we set up the OCI provider with a tenancy OCID, user OCID, API key fingerprint, private key file, and region identifier:
# Provider configuration
provider "oci" {
  tenancy_ocid     = var.tenancy_ocid
  user_ocid        = var.user_ocid
  fingerprint      = var.fingerprint
  private_key_path = var.private_key_path
  region           = var.region
}

# Authentication policy: tenancy-level password complexity rules
resource "oci_identity_authentication_policy" "auth_policy" {
  compartment_id = var.tenancy_ocid

  password_policy {
    minimum_password_length          = 14
    is_lowercase_characters_required = true
    is_uppercase_characters_required = true
    is_numeric_characters_required   = true
    is_special_characters_required   = true
  }

  # The remaining CIS settings (90-day expiry, 24-password history, lockout
  # after 5 failed attempts) are not arguments of this resource, which only
  # exposes password_policy and network_policy. They are set on the identity
  # domain's password policy (oci_identity_domains_password_policy or the
  # Identity Domains console) and must be configured there.
}
The Terraform code defines the exact configuration in line with CIS benchmarks for password policy. This ensures that the password policy is enforced and cannot be bypassed by any OCI user account.
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) adds a crucial second layer of security beyond passwords by requiring users to provide two or more verification factors. In OCI, this typically involves something users know (password) and something they have (mobile device for token generation). CIS benchmarks mandate MFA for all users, especially those with administrative privileges. This effectively prevents unauthorized access even if passwords are compromised, as attackers would need physical access to the second authentication factor.
To enhance security, let’s enable MFA for all users, as recommended by the CIS benchmarks. The Terraform code below sets up MFA policies and checks compliance:
# MFA enforcement policy. OCI policies are allow-only, so access is granted
# only when the caller's session has completed MFA (request.user.mfaTotpVerified).
resource "oci_identity_policy" "mfa_policy" {
  name           = "mfa-policy"
  description    = "CIS compliant MFA policy"
  compartment_id = var.tenancy_ocid
  statements = [
    "Allow group Administrators to manage all-resources in tenancy where request.user.mfaTotpVerified = 'true'",
    "Allow group Users to read all-resources in tenancy where request.user.mfaTotpVerified = 'true'"
  ]
}

# Compliance check script: lists active users who have not activated MFA.
# Hyphenated keys must be double-quoted in JMESPath, and the whole query is
# single-quoted so bash leaves the backtick literals alone.
locals {
  mfa_check_script = <<-EOF
    #!/bin/bash
    oci iam user list --all --auth api_key \
      --query 'data[?"lifecycle-state"==`"ACTIVE"` && "is-mfa-activated"==`false`].{name:name,id:id}' \
      --output table
  EOF
}

resource "local_file" "mfa_check" {
  filename        = "mfa_compliance_check.sh"
  content         = local.mfa_check_script
  file_permission = "0755"
}
IAM Group Management
Groups in OCI provide a scalable way to manage user permissions through role-based access control (RBAC). Instead of assigning permissions to individual users, administrators create groups with specific policies (like NetworkAdmins or SecurityAdmins) and add users to these groups. This approach simplifies access management, reduces human error, and makes it easier to audit permissions. Regular group membership reviews ensure proper access levels are maintained.
In the following Terraform code, we create IAM groups for different roles and define policies that ensure proper access management:
# Create standard IAM groups
resource "oci_identity_group" "admin_group" {
  name           = "administrators"
  description    = "CIS compliant administrator group"
  compartment_id = var.tenancy_ocid
}

resource "oci_identity_group" "security_admin_group" {
  name           = "security-administrators"
  description    = "CIS compliant security administrator group"
  compartment_id = var.tenancy_ocid
}

resource "oci_identity_group" "network_admin_group" {
  name           = "network-administrators"
  description    = "CIS compliant network administrator group"
  compartment_id = var.tenancy_ocid
}

# Create policies for each group. OCI policies have no Deny statement:
# anything not explicitly allowed is refused, so the MFA condition on the
# Allow is what keeps non-MFA sessions out.
resource "oci_identity_policy" "admin_policy" {
  name           = "admin-policy"
  description    = "CIS compliant administrator policy"
  compartment_id = var.tenancy_ocid
  statements = [
    "Allow group administrators to manage all-resources in tenancy where request.user.mfaTotpVerified = 'true'"
  ]
}

resource "oci_identity_policy" "security_admin_policy" {
  name           = "security-admin-policy"
  description    = "CIS compliant security administrator policy"
  compartment_id = var.tenancy_ocid
  statements = [
    "Allow group security-administrators to manage security-lists in tenancy",
    "Allow group security-administrators to manage network-security-groups in tenancy",
    "Allow group security-administrators to manage policies in tenancy",
    "Allow group security-administrators to manage users in tenancy",
    "Allow group security-administrators to manage groups in tenancy"
  ]
}
User Lifecycle Management
User lifecycle management encompasses the entire user account journey from creation to deactivation. CIS benchmarks recommend automated processes for detecting and deactivating inactive accounts (90+ days without login), regular access reviews, and documented procedures for creating/removing accounts. This systematic approach prevents unauthorized access through obsolete accounts while ensuring legitimate users maintain appropriate access levels throughout their tenure.
Let’s automate user management by creating user accounts and assigning them to the appropriate IAM groups. The following Terraform code creates a compliant user and sets up their group membership:
# Create example user with security settings: console login only, no
# long-lived API keys, auth tokens, secret keys or SMTP credentials.
resource "oci_identity_user" "compliant_user" {
  name           = "compliant-user"
  description    = "CIS compliant user example"
  email          = "user@example.com"
  compartment_id = var.tenancy_ocid

  capabilities {
    can_use_api_keys             = false
    can_use_auth_tokens          = false
    can_use_console_password     = true
    can_use_customer_secret_keys = false
    can_use_smtp_credentials     = false
  }
}

# User group membership
resource "oci_identity_user_group_membership" "user_group_membership" {
  user_id  = oci_identity_user.compliant_user.id
  group_id = oci_identity_group.security_admin_group.id
}

# API key management policy. A policy only controls who may manage API keys
# (and only from an MFA-verified session); the 90-day rotation itself has to
# be verified from key age, e.g. the time-created of `oci iam api-key list`.
resource "oci_identity_policy" "api_key_rotation" {
  name           = "api-key-rotation"
  description    = "CIS compliant API key rotation policy"
  compartment_id = var.tenancy_ocid
  statements = [
    "Allow group administrators to manage api-keys in tenancy where request.user.mfaTotpVerified = 'true'"
  ]
}
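The MFA compliance check and the lifecycle rules above (inactive accounts after 90 days, API keys older than 90 days) can be run offline against the JSON the OCI CLI prints. The script below is an added example, not part of the article's Terraform; the user and API key records are constructed samples in the CLI's kebab-case shape, and the "current" time is fixed so the result is reproducible.

```python
"""Compliance check over `oci iam user list --all` and `oci iam api-key list` output."""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)                      # CIS inactivity and key-age limit
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # constructed "current" time

# Constructed sample output in the CLI's kebab-case shape; not real tenancy data.
USERS_JSON = """{"data": [
 {"name": "alice", "id": "ocid1.user.oc1..alice", "lifecycle-state": "ACTIVE",
  "is-mfa-activated": true, "time-created": "2024-01-01T00:00:00.000Z",
  "last-successful-login-time": "2024-05-01T09:00:00.000Z",
  "capabilities": {"can-use-console-password": true, "can-use-api-keys": true}},
 {"name": "bob", "id": "ocid1.user.oc1..bob", "lifecycle-state": "ACTIVE",
  "is-mfa-activated": false, "time-created": "2023-06-01T00:00:00.000Z",
  "last-successful-login-time": "2024-01-10T09:00:00.000Z",
  "capabilities": {"can-use-console-password": true, "can-use-api-keys": true}},
 {"name": "svc-deploy", "id": "ocid1.user.oc1..svc", "lifecycle-state": "ACTIVE",
  "is-mfa-activated": false, "time-created": "2023-10-01T00:00:00.000Z",
  "last-successful-login-time": null,
  "capabilities": {"can-use-console-password": false, "can-use-api-keys": true}}
]}"""
# API keys per user OCID, as `oci iam api-key list --user-id ...` returns them.
API_KEYS_JSON = """{
 "ocid1.user.oc1..alice": [{"fingerprint": "aa:bb", "time-created": "2024-04-20T00:00:00.000Z"}],
 "ocid1.user.oc1..svc":   [{"fingerprint": "cc:dd", "time-created": "2023-11-01T00:00:00.000Z"}]}"""

def parse_time(value):
    # CLI timestamps end in 'Z', which fromisoformat only accepts from Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def check_users(users_json, api_keys_json, now):
    """Return (user, finding) pairs for active users that violate the CIS checks."""
    findings = []
    keys_by_user = json.loads(api_keys_json)
    for u in json.loads(users_json)["data"]:
        if u["lifecycle-state"] != "ACTIVE":
            continue                                   # already deactivated
        caps = u.get("capabilities", {})
        if caps.get("can-use-console-password"):       # console users: MFA + inactivity
            if not u["is-mfa-activated"]:
                findings.append((u["name"], "console password without MFA"))
            # never logged in: measure inactivity from account creation instead
            last = parse_time(u["last-successful-login-time"]) or parse_time(u["time-created"])
            if now - last > MAX_AGE:
                findings.append((u["name"], "inactive for more than 90 days"))
        for key in keys_by_user.get(u["id"], []):      # key age applies to API-only users too
            if now - parse_time(key["time-created"]) > MAX_AGE:
                findings.append((u["name"], f"API key {key['fingerprint']} older than 90 days"))
    return findings

def run_check():
    return check_users(USERS_JSON, API_KEYS_JSON, NOW)
```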
Monitoring and Logging for IAM
IAM monitoring and logging provide visibility into who's accessing what and when. CIS recommends enabling comprehensive audit logging for all IAM actions, setting up alerts for suspicious activities (like multiple failed logins), and maintaining logs for at least 90 days. Regular log analysis helps detect potential security incidents, ensures compliance, and provides valuable insights for security improvements. Automated alerts ensure immediate response to potential security threats.
Let’s enable audit logging and set up alerts to monitor suspicious IAM activities. This Terraform configuration ensures that a burst of failed authentication attempts (more than five within a minute) triggers an alert:
# Create IAM audit logging
resource "oci_logging_log_group" "iam_log_group" {
  compartment_id = var.tenancy_ocid
  display_name   = "iam-audit-logs"
  description    = "CIS compliant IAM audit logging"
}

resource "oci_logging_log" "iam_audit_log" {
  display_name = "iam-audit-log"
  log_group_id = oci_logging_log_group.iam_log_group.id
  log_type     = "SERVICE"

  configuration {
    source {
      category    = "audit"
      resource    = var.tenancy_ocid
      service     = "iam"
      source_type = "OCISERVICE"
    }
    compartment_id = var.tenancy_ocid
  }

  retention_duration = 90 # days; CIS asks for at least 90
  is_enabled         = true
}

# Create alerts for suspicious IAM activities
resource "oci_monitoring_alarm" "iam_alert" {
  compartment_id        = var.tenancy_ocid
  display_name          = "iam-suspicious-activity"
  is_enabled            = true
  metric_compartment_id = var.tenancy_ocid
  namespace             = "oci_iam"
  query                 = "IAMAuthenticationEvents.Failed.Count[1m].sum() > 5"
  severity              = "CRITICAL"
  body                  = "Multiple failed IAM authentication attempts detected"
  message_format        = "ONS_OPTIMIZED"
  pending_duration      = "PT5M"
  # destinations is a required argument: the Notifications topic that receives
  # the alert (var.alarm_topic_ocid is assumed to be declared with the other variables)
  destinations = [var.alarm_topic_ocid]
}
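The same "more than five failures per minute per principal" rule the alarm expresses can be applied to exported audit events during log analysis or incident review. This is an added example, not code from the article; the events are constructed and trimmed to the three fields the check reads (eventTime, data.identity.principalName, data.response.status), and they are assumed to arrive in time order.

```python
"""Sliding-window detector for bursts of failed sign-ins, mirroring the alarm query."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                  # same threshold as the alarm query (> 5)
WINDOW = timedelta(minutes=1)  # same window as the [1m] interval

# Constructed sample events, trimmed to the fields the check reads (real OCI
# audit events carry many more). Not real tenancy data; assumed time-ordered.
def _event(ts, principal, status):
    return json.dumps({"eventTime": ts,
                       "data": {"identity": {"principalName": principal},
                                "response": {"status": status}}})

SAMPLE_EVENTS = (
    [_event(f"2024-05-10T10:00:{s:02d}Z", "bob", "401") for s in (1, 8, 15, 22, 29, 36)]
    + [_event("2024-05-10T10:00:40Z", "alice", "200"),
       _event("2024-05-10T10:02:00Z", "bob", "401")]  # outside the window: no alert
)

def parse_time(ts):
    # audit timestamps end in 'Z', which fromisoformat only accepts from Python 3.11
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def detect_failed_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return (principal, eventTime) for each failure that pushes the principal's
    failure count within the trailing window above the threshold."""
    recent = defaultdict(deque)   # principal -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["data"]["response"]["status"].startswith("2"):
            continue                                # success, not counted
        name = ev["data"]["identity"]["principalName"]
        t = parse_time(ev["eventTime"])
        q = recent[name]
        q.append(t)
        while t - q[0] > window:                    # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            alerts.append((name, ev["eventTime"]))
    return alerts
```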
Key Takeaway
Securing your OCI resources is an ongoing process that requires vigilance, expertise, and a proactive approach. Implementing the above IAM strategies in your OCI account can significantly enhance your cloud security posture and protect your infrastructure assets. Remember, in cloud computing, security is not just an IT issue — it's a business impact.
As cloud technologies continue to evolve, so too must your security practices. Stay informed about the latest security features offered by your cloud provider. With the right approach, you can harness the full power of cloud IaaS while maintaining a robust security posture.